Lateral movement can quickly take a breach from bad to catastrophic. A sophisticated and prevalent attack technique, and a hallmark of advanced persistent threats (APTs), lateral movement can be difficult to detect and combat.
Unfortunately, preventative security isn’t enough to keep lateral movement attacks at bay. In today’s treacherous cybersecurity climate, experts advise us to think of attacks as inevitable: plan for when they occur rather than if. It’s critical that organizations develop measures to both prevent lateral movement attacks and mitigate them when they occur to minimize damage.
To help organizations understand how to approach lateral movement, this blog covers the basics of lateral movement as well as top detection, prevention, and mitigation methods.
What Is Lateral Movement?
Lateral movement is the access of additional resources or elements in an organization’s infrastructure after initial entry. Often, lateral movement involves gathering elevated credentials and permissions to access more critical and sensitive data. It’s one of the top ways cybercriminals maximize damage during an attack.
As CrowdStrike puts it, “lateral movement is a key tactic that distinguishes today’s advanced persistent threats (APTs) from simplistic cyberattacks of the past.” APTs are sophisticated and stealthy attacks that gain prolonged access to a network, facilitating reconnaissance, strategic attack planning, and critical data compromise.
How Does Lateral Movement Work?
Lateral movement starts with initial access to an account, network, or resource, and escalates as the attacker leverages that access to move through the infrastructure. Typically, lateral movement attackers carve themselves a path to the most critical data by breaking through security layers and gathering additional privileges. Often, they hold this data for ransom in ransomware attacks, which are growing in popularity and considered a top security threat.
While there is no one way for lateral movement attacks to unfold, they typically follow certain patterns and go through some of the same key steps. The following are some of the most common tactics and steps in a typical lateral movement attack.
Network or Infrastructure Access
Lateral movement requires initial access to the network or infrastructure. Bad actors can gain this initial access through just about any weak point in the infrastructure, from an unprotected server to a vulnerable application or an employee account. Initial access doesn’t always require sophisticated hacking techniques: phishing attacks, for example, use low-tech tactics that are highly effective in tricking users into sharing account access with threat actors.
This initial resource access becomes the vehicle bad actors use to traverse the network or infrastructure. In systems where a traditional perimeter is the main barrier to entry, lateral movement can occur unhindered as soon as the actor gains access to the main network. In environments with continuous authentication, however, the access would stop there unless the bad actor is able to get through the next authentication point.
Privilege Gathering and Escalation
Attackers often gain access to additional resources by using a legitimate account, either infiltrating an account that already has high-level access privileges or infiltrating a standard account and adding to or escalating its privileges. To seize high-permission accounts directly, attackers may use targeted initial infiltration techniques, like whaling. To gather or escalate privileges on a standard account, attackers often leverage network or operating system vulnerabilities. This method typically involves more reconnaissance and back-end manipulation.
Many attackers wait to strike, leveraging lateral movement for reconnaissance and attack preparation purposes. Often, this includes scouting out ways to gain administrative privileges and pathways to the most sensitive data.
After conducting reconnaissance, cybercriminals can mount a swift, coordinated attack. Usually, these attacks do the most damage to the most critical resources — and in many cases, attackers freeze these critical resources until paid a hefty ransom.
Credential Dumping
Hackers often look for credentials to steal once inside an organization’s infrastructure. Often, they can find and pull many at once; some systems, for example, store clear-text passwords that hackers can immediately put to use. Credential dumping is the process of copying and exfiltrating those credentials, either to use as part of the attack (e.g., to escalate privileges) or to sell, hold for ransom, or otherwise exploit.
How to Detect Lateral Movement
Because lateral movement can masquerade as a legitimate user and move from resource to resource, it can be hard to detect. Further, movement among accounts and resources makes stopping an attack difficult: shutting down the original compromised resource wouldn’t lock the attacker out of the additional resources they gained access to through lateral movement. So, how can organizations defend against lateral movement attacks?
One of the best ways to stop and minimize the damage of lateral movement is through early detection. Detecting an attacker before they can gather and elevate their access minimizes the attack’s spread and makes it easier to remove them from the network.
The key to detecting lateral movement is gaining thorough understanding and visibility of your network and infrastructure with the right reporting tools. At a minimum, your reporting system should have sufficient event logging to allow security teams to follow a lateral movement attack’s path; the more robust your reporting tool, the better chances you have of detecting and stopping attacks. The JumpCloud directory, for example, consolidates the IT infrastructure in one platform and can report on everything from mobile device activity to SAML events at once. This makes it easy to view and analyze end-to-end events across users, devices, applications, networks, and more.
Ideally, reporting tools should combine with activity analysis and alerts to head off suspicious activity. Read on to learn more about detecting and mitigating lateral movement with behavior analysis and threat hunting.
Behavior Analysis
Telemetry can be enhanced with behavior analysis for better lateral movement detection and prevention. Examples of detectable behaviors that might indicate a lateral movement attack include:
- Logins that don’t follow the typical pattern (like a 9-to-5 employee logging on at 1 a.m.).
- Strange administrative activity (like permission elevation that conflicts with the principle of least privilege).
- Suspicious access or treatment of confidential data (like unexplained file server access or mass data downloads).
IT teams should have a reporting tool that grants them the visibility to detect suspicious activity. In addition, some behavior analysis tools can alert and react to suspicious activity in real time. For example, a solution could alert the security team and immediately suspend an account that gained unexpected admin access.
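The three behaviors listed above can be turned into simple detection rules run over consolidated event logs. The following is an added example, not code from JumpCloud or from the original post: it parses a small constructed log (the key=value format, usernames, business hours, expected admin set, and download threshold are all assumptions) and flags off-hours logins, unexpected privilege elevation, and mass downloads per user and day.

```python
# Added example (not JumpCloud's code): rule-based scan of constructed auth and
# file events for the lateral-movement indicators described in the post.
from collections import Counter
from datetime import datetime

# Constructed sample log: one event per line, "TIMESTAMP key=value ...".
SAMPLE_LOG = """\
2024-03-04T09:02:11 user=alice event=login src=ws-12
2024-03-04T01:14:05 user=alice event=login src=ws-12
2024-03-04T01:20:40 user=alice event=role_change role=admin
2024-03-04T01:25:02 user=alice event=file_download path=hr/payroll.xlsx
2024-03-04T01:25:03 user=alice event=file_download path=hr/salaries.csv
2024-03-04T01:25:04 user=alice event=file_download path=hr/bonuses.csv
2024-03-04T01:25:05 user=alice event=file_download path=hr/reviews.docx
2024-03-04T10:30:00 user=bob event=login src=ws-07
2024-03-04T10:31:00 user=bob event=file_download path=eng/readme.md
2024-03-04T11:00:00 user=carol event=role_change role=admin
"""

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59 is the normal login window
EXPECTED_ADMINS = {"carol"}     # assumption: the only account allowed to hold admin
DOWNLOAD_THRESHOLD = 3          # assumption: 3+ downloads per day counts as "mass"


def parse_event(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(log_text):
    """Return a sorted list of (rule, user, detail) findings for the log."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    downloads = Counter()  # (user, date) -> number of file downloads

    for ev in events:
        user = ev["user"]
        kind = ev["event"]
        if kind == "login" and ev["ts"].hour not in BUSINESS_HOURS:
            # Login outside the expected pattern (the "1 a.m." case).
            findings.append(("off_hours_login", user, ev["ts"].isoformat()))
        elif kind == "role_change" and ev.get("role") == "admin" \
                and user not in EXPECTED_ADMINS:
            # Elevation that conflicts with least privilege.
            findings.append(("unexpected_elevation", user, "admin"))
        elif kind == "file_download":
            downloads[(user, ev["ts"].date().isoformat())] += 1

    # Mass download: many files pulled by one user within a single day.
    for (user, day), count in downloads.items():
        if count >= DOWNLOAD_THRESHOLD:
            findings.append(("mass_download", user, f"{count} files on {day}"))

    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:22} {user:8} {detail}")
```

Run against the sample, all three rules fire for alice and nothing fires for bob or carol; in practice the thresholds and the expected-admin set would come from the directory rather than constants, and a finding would feed the alerting and account-suspension step described in the next paragraph.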
Proactive Threat Hunting
Unfortunately, automated behavior analysis isn’t always accurate, and frequent false positives in alert systems generate alert fatigue: it’s not uncommon for legitimate alerts to be dismissed as false alarms. Thus, automated alert systems are more secure when supplemented with proactive threat hunting.
Proactive threat hunting draws on machine learning, research, and intelligence around emerging threats, and close study of the organization’s environment to form and test hypotheses around the most likely and dangerous threats to an environment. Proactive threat hunting is generally much more nuanced and accurate than computer-driven behavior analysis; while usually more costly, it can provide significant security benefits to an organization.
Prevent and Mitigate Lateral Movement by Implementing Zero Trust
Lateral movement is particularly dangerous for businesses that rely on perimeter security, where rings of security — like a firewall-based perimeter — protect the central network. Perimeter security is like locking the front door to a single-family home: it creates a barrier to entry, but if someone were to find a way in (either by finding a key or breaking in), they would be able to move unhindered from room to room. The initial entry would grant them access to everything inside the house.
Now compare that to an apartment building. Apartment buildings can’t afford to risk allowing one lock to grant access to every unit; instead, they protect their outer perimeter with lock and key, and then lock the individual units inside that perimeter. This way, even if someone gained access to the outer building door, they wouldn’t be able to enter any units. And even if a burglar did happen to stumble upon a keyring with a key to the outer door and a unit door, they could gain access to that unit, but every other unit would remain secure. The potential for lateral movement is significantly lower.
Zero Trust security does essentially this: it locks every resource rather than just locking the “front door.” Zero Trust’s mantra is “never trust, always verify”: instead of accepting initial network authentication as enough to grant full access to the organization’s resources, Zero Trust prescribes the principle of least privilege and secure authentication everywhere. This prevents lateral movement and mitigates its spread, minimizing the chances of data compromise and reducing damage in the event of a breach.
The following Zero Trust implementations help minimize lateral movement:
Multi-Factor Authentication
Multi-factor authentication (MFA) significantly improves authentication security over the traditional username/password method. Passwords are notoriously susceptible to compromise; MFA, on the other hand, requires authentication factors that are much harder to fake, guess, or crack, like timely access to a user’s personal smartphone. This improved security makes it a critical element of a Zero Trust architecture.
When implemented throughout a network, MFA significantly restricts lateral movement. Instead of allowing one set of credentials to gain access to all the resources a user is assigned, MFA requires continuous authentication. In the spirit of Zero Trust’s mantra of assuming users are untrusted until validated, MFA everywhere forces a user to prove their identity at every new resource access attempt. This way, even if a bad actor gained access to one account, they wouldn’t necessarily be able to access anything else with it.
Microsegmentation
Microsegmentation separates networks, cloud environments, or data centers into discrete units without pathways from one to another. Different microsegments can be configured to strategically host different resources; for example, an organization could create a high-privilege microsegment that houses high-security items, which could never be accessed through the main network. For even better security, the organization could then further divide its high-security microsegment to prevent lateral movement from one high-priority resource to another.
Insights into network traffic and activity — especially when coupled with security solutions like security information and event management (SIEM) and proactive threat hunting — can prevent lateral movement by catching suspicious activity in real time. The faster security teams become aware of a possible breach, the better chance they have of shutting it down before it spreads through lateral movement.
Least Privilege Access
The principle of least privilege prescribes that users should only be given access to what they need to do their work. The more privileges a user has, the more of a liability their account is. Keeping access permissions restricted by need reduces the amount of lateral movement a threat actor can accomplish from any one account.
Conditional Access
Conditional access can either relax or heighten authentication requirements based on the conditions of a login. An IT administrator could set up conditional access policies to require MFA or deny access altogether if the conditions of a login are unexpected or questionable. This helps automate lateral movement mitigation by increasing authentication requirements in suspicious conditions.
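To make the allow / step-up / deny decision concrete, here is an added example of a minimal conditional-access evaluator. It is not JumpCloud's policy engine or any code from the original post; the trusted network ranges, business hours, context attributes, and the risk-scoring scheme are all assumptions chosen for illustration.

```python
# Added example (not JumpCloud's code): a small conditional-access policy that
# returns "allow", "require_mfa" or "deny" from the conditions of a login.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions: corporate ranges are trusted; 08:00-17:59 is the normal window.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(8, 18)


@dataclass
class LoginContext:
    user: str
    source_ip: str
    hour: int                  # local hour of the attempt, 0-23
    device_managed: bool       # device enrolled in MDM
    resource_sensitivity: str  # "low" or "high"


def evaluate(ctx):
    """Return (decision, reasons) for a login attempt.

    Policy (assumed for the example):
      * high-sensitivity resources are never reachable from unmanaged devices;
      * high-sensitivity resources always require MFA, even with no other risk;
      * otherwise each unexpected condition adds one risk point:
        0 -> allow, 1 -> require_mfa, 2+ -> deny.
    """
    reasons = []
    if not any(ip_address(ctx.source_ip) in net for net in TRUSTED_NETWORKS):
        reasons.append("untrusted_network")
    if ctx.hour not in BUSINESS_HOURS:
        reasons.append("off_hours")
    if not ctx.device_managed:
        reasons.append("unmanaged_device")

    if ctx.resource_sensitivity == "high":
        if not ctx.device_managed:
            return "deny", reasons + ["high_sensitivity_unmanaged"]
        return "require_mfa", reasons + ["high_sensitivity"]

    if len(reasons) == 0:
        return "allow", reasons
    if len(reasons) == 1:
        return "require_mfa", reasons
    return "deny", reasons


if __name__ == "__main__":
    attempts = [
        LoginContext("alice", "10.1.2.3", 10, True, "low"),
        LoginContext("alice", "10.1.2.3", 10, True, "high"),
        LoginContext("alice", "198.51.100.7", 10, True, "low"),
        LoginContext("alice", "198.51.100.7", 2, False, "low"),
    ]
    for a in attempts:
        decision, why = evaluate(a)
        print(f"{a.user} from {a.source_ip} at {a.hour:02d}h -> {decision} {why}")
```

Each decision carries the conditions that produced it, so the same record can be logged for the reporting and behavior-analysis steps discussed earlier; an attacker who has stolen a single password but is coming from an unknown network on an unmanaged device is stepped up or denied rather than waved through.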
Universal Directory
Universal directories can combine the above functions for an ecosystem that works seamlessly through smooth, native integrations and clear reporting. JumpCloud, for example, combines identity and access management (IAM), mobile device management (MDM), MFA, conditional access, system and directory insights, and more into one platform, keeping everything visible and reporting to the same source of truth. This clarity makes lateral movement easier to detect, and the combination of security measures like MFA and conditional access policies combats lateral movement.
Dive Deeper Into Zero Trust
Zero Trust architecture prevents and mitigates lateral movement with continuous safeguards at every resource. It’s an organization’s best bet against lateral movement attacks, and many organizations are making the switch from perimeter security to Zero Trust.
But Zero Trust is a broad concept, and it can be difficult to wrap your head around — especially for lean IT teams working under strained timelines and budgets. For a quick, tailored dive into what you need to know about Zero Trust to start implementing it to protect your organization, download the whitepaper, Zero Trust Demystified.